All posts

Security / Cryptography/PBKDF2

Posted On 02.21.2022

PBKDF2 is a key derivation function, used in the process of deriving encryption keys.

The main idea of PBKDF2 is repeatedly applying the input and the salt to a hash function like HMAC to produce a key, which can be used later on in subsequence operations.

Passwords managers like 1Password and Bitwarden use this function (in a combination of a much more complex scheme) with your Master Password to generate a symmetric key for encrypting and decrypting data in your vault.

The PBKDF2 function takes several input parameters and produces the derived key as output:

Output=PBKDF2(PRFn,Password,Salt,N,KeyLen)

where:

  • PRFn is a pseudorandom function that produces an output length hLen bits, for example, keyed HMAC.
  • Password is the input password
  • Salt is a securely generated random bytes, minium 64 bits but 128 bits is recommended
  • N is the number of iterations of HMAC derivation. For example, in Bitwarden, it’s 100,001 iterations
  • KeyLen is the expected key length for the output, for example, 32 bytes (256 bits)

The iterations count is directly proportional to the time it takes for key derivation. The slower key derivation, the slower login time but the password is more secure against cracking attacks.

The Output is the concatenation of many hLen bit blocks:
Output=T1+T2++TKeyLen/hLen

Each block Ti is computed as:

Ti=F(Password,Salt,N,i)

The function F is the XOR of Count iterations of chained PRFn. Chained mean, the later iterations will use the computed result of the previous iteration as an input:

F(Password,Salt,N,i)=U1U2UN

Where each U is:

U1=PRFn(Password,Salt+Int32BigEndian(i))

U2=PRFn(Password,U1)

UN=PRFn(Password,UN1)

The Output is extracted as the first KeyLen bits of the final hash.


It’s important to note that PBKDF2 is not resistant to GPU attacks for ASIC attacks (attacks using specialized hardware). For new systems, it’s recommended to use a more secure algorithm like Bcrypt, Scrypt, or Argon2 instead.

What’s next?